
Ironport WSA - Active Directory Agent


Hi All,

It's been a little while since I deployed a WSA and I see a new tool, the Active Directory Agent. I understand from the docs it's used to get usernames from AD for the current logged on user when using NTLM authentication for transparent auth.

My question is why?!

When I last set up a WSA with NTLM for transparent auth we didn't have to use the Agent. NTLM revealed the username as part of what it does and we could use that to bind sessions with access policies, etc.

Yet the docs say:

"Create an NTLM authentication realm and enable transparent user identification.

In addition, you must deploy a separate utility called the Cisco Active Directory Agent (AD Agent)."

So, why is that? What does the agent get me that I didn't use to get? Do I really have to use it?

Thanks all!


Ken Stieers
VIP Advisor


No, you don't have to use it. It makes a few things work better, namely internet apps that do not support authentication can be authenticated before the app starts using AD. We have a couple of apps that without the ADAgent, the user has to hit an external web page first, then the app will work. Also if you're running Windows, but the browser of choice can't do AD integrated auth, this would address the issue.

The ADAgent is the same app as used for the ASA "Identity Firewall" features, you can use the same install...


Thanks dude, much appreciated. Seems to be a forum fault and I can't mark this as answered; will try again soon.
